Common practice is to use simple "fuzzing" techniques on public domain scripts and "inurl:" searches with Google or Bing.

It's really easy to write a PERL script looking for common vulns.

In PERL you want to look for stuff like:

open()

system()

exec()

Anything that passes commands to the operating system, uploads anything, or even writes to and names a file. For example, if a script writes form data to a text file and then names the file something like <user name>.txt, you could try creating a user named pwner.php๴. If it is encoded and terminates reading with a null string, it might execute. When the file is written and decoded it would be: pwner.php%00.txt.

To execute commands from POST and GET requests, it's common to use ";", "&&", "|", or even an encoded version of each: anything that will properly execute additional commands. Kind of like a union select statement and commenting out the rest of the old SQL in MySQLi attacks.


If searching for Ruby vulns, try to find anywhere `eval` is being used. Eval sends a string as a message to another object for creating dynamic code -- really useful, but really dangerous if you let unsanitized strings in. Also, apparently the ActiveRecord `order` method is vulnerable to SQL injection...so if that's being populated with a POST or GET, you can inject on it.
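As an added example (not code from either poster), here is the defender's side of the two Ruby sinks just mentioned: an allowlist helper standing in for `Model.order(params[:sort])`, and a dispatch table standing in for `eval` on a request parameter. ActiveRecord is not loaded, so the ORDER BY fragment is returned as a plain string; the column and report names are assumptions.

```ruby
# Added example: harden the `order` and `eval` sinks from the thread.
# Only values from these fixed allowlists can ever reach the query.
ALLOWED_SORT_COLUMNS = %w[id name created_at].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

class UnsafeSortParam < ArgumentError; end

# Vulnerable pattern: Model.order(params[:sort]) interpolates the raw string
# into SQL. This helper instead validates the untrusted parameter against the
# allowlists and raises on anything else, so the output is one of a handful of
# known-good ORDER BY clauses (e.g. "name DESC").
def order_clause(sort_param)
  column, direction = sort_param.to_s.split(/\s+/, 2)
  direction = (direction || "asc").downcase
  unless ALLOWED_SORT_COLUMNS.include?(column) && ALLOWED_DIRECTIONS.include?(direction)
    raise UnsafeSortParam, "rejected sort parameter: #{sort_param.inspect}"
  end
  "#{column} #{direction.upcase}"   # both pieces are allowlist literals
end

# Vulnerable pattern: eval("report_#{params[:kind]}") to choose a method.
# Replace dynamic code with an explicit table of permitted handlers.
REPORTS = {
  "total" => ->(rows) { rows.sum },
  "count" => ->(rows) { rows.length }
}.freeze

def run_report(kind, rows)
  handler = REPORTS.fetch(kind.to_s) do
    raise ArgumentError, "unknown report #{kind.inspect}"
  end
  handler.call(rows)
end

if __FILE__ == $PROGRAM_NAME
  puts order_clause("name desc")          # name DESC
  begin
    order_clause("id; SELECT 1")          # constructed bad input, rejected
  rescue UnsafeSortParam => e
    puts e.message
  end
  puts run_report("count", [4, 5, 6])     # 3
end
```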